OWASP Top Ten 2017
| Threat Agents / Attack Vectors | Security Weakness | Impacts |
|---|---|---|
| App. Specific; Exploitability: 2 | Prevalence: 2; Detectability: 2 | Technical: 3; Business: ? |
| Exploitation of access control is a core skill of attackers. SAST and DAST tools can detect the absence of access control but cannot verify if it is functional when it is present. Access control is detectable using manual means, or possibly through automation for the absence of access controls in certain frameworks. | Access control weaknesses are common due to the lack of automated detection, and lack of effective functional testing by application developers. | The technical impact is attackers acting as users or administrators, or users using privileged functions, or creating, accessing, updating or deleting every record. |
Is the Application Vulnerable?

Access control enforces policy such that users cannot act outside of their intended permissions. Failures typically lead to unauthorized information disclosure, modification or destruction of all data, or performing a business function outside of the limits of the user. Common access control vulnerabilities include:

How to Prevent

Access control is only effective if enforced in trusted server-side code or server-less API, where the attacker cannot modify the access control check or metadata.
Example Attack Scenarios

Scenario #1: The application uses unverified data in a SQL call that is accessing account information:

References

OWASP

External
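The following is an added example, not code from the OWASP page, that puts the Scenario #1 weakness (an account lookup driven only by a request parameter) beside the server-side enforcement the "How to Prevent" text calls for. The table layout, the sample rows, the session dictionary shape (`user_id`, `role`) and the function names are all constructed for illustration.

```python
"""Added example (not from the OWASP page): an account lookup keyed only on a
request parameter, beside a version whose authorization decision lives entirely
in server-side code and server-held session state."""
import sqlite3
from typing import Optional


class AccessDenied(Exception):
    """Raised when the caller may not read the requested record."""


def build_db() -> sqlite3.Connection:
    """Constructed sample data: two users, each owning one account."""
    db = sqlite3.connect(":memory:")
    db.execute(
        "CREATE TABLE accounts ("
        "acct_id INTEGER PRIMARY KEY, owner_id INTEGER NOT NULL, balance INTEGER NOT NULL)"
    )
    db.executemany(
        "INSERT INTO accounts VALUES (?, ?, ?)", [(1001, 1, 500), (1002, 2, 9000)]
    )
    db.commit()
    return db


def _row_to_dict(row) -> dict:
    return {"acct_id": row[0], "owner_id": row[1], "balance": row[2]}


def get_account_unverified(db: sqlite3.Connection, acct_param: str) -> Optional[dict]:
    """The weakness from Scenario #1. The 'acct' value is bound as a parameter, so
    this is not SQL injection, but nothing ties the requested account to the user
    making the request: any authenticated user who edits the parameter reads any
    account. SAST/DAST see a parameterised query and no error; only a functional
    test (fetch another user's id) shows the missing check."""
    row = db.execute(
        "SELECT acct_id, owner_id, balance FROM accounts WHERE acct_id = ?",
        (int(acct_param),),
    ).fetchone()
    return None if row is None else _row_to_dict(row)


def get_account_enforced(db: sqlite3.Connection, session: dict, acct_param: str) -> dict:
    """Server-side enforcement. The identity and role come from the server-held
    session (hypothetical shape: user_id, role), never from the request, and the
    query itself is scoped to the caller's ownership unless the session role is
    admin. 'Absent' and 'not yours' are reported identically so the response does
    not reveal which account ids exist."""
    try:
        acct_id = int(acct_param)
    except ValueError:
        raise AccessDenied("malformed account id")
    if session.get("role") == "admin":
        sql = "SELECT acct_id, owner_id, balance FROM accounts WHERE acct_id = ?"
        args = (acct_id,)
    else:
        sql = ("SELECT acct_id, owner_id, balance FROM accounts "
               "WHERE acct_id = ? AND owner_id = ?")
        args = (acct_id, session["user_id"])
    row = db.execute(sql, args).fetchone()
    if row is None:
        raise AccessDenied(f"session user {session.get('user_id')} may not read account {acct_id}")
    return _row_to_dict(row)


def handle_account_request(db: sqlite3.Connection, session: dict, params: dict, headers: dict) -> dict:
    """Request boundary. Everything in params and headers is client-controlled
    metadata and is deliberately never consulted for the authorization decision,
    so a client-supplied 'X-Role: admin' header changes nothing. Denials map to a
    403 without detail."""
    del headers  # client-controlled; intentionally not used for authorization
    try:
        body = get_account_enforced(db, session, params.get("acct", ""))
    except AccessDenied:
        return {"status": 403, "body": None}
    return {"status": 200, "body": body}


if __name__ == "__main__":
    db = build_db()
    user1 = {"user_id": 1, "role": "user"}
    print("unverified lookup of someone else's account:", get_account_unverified(db, "1002"))
    print("enforced lookup of own account:", handle_account_request(db, user1, {"acct": "1001"}, {}))
    print("enforced lookup of someone else's account:",
          handle_account_request(db, user1, {"acct": "1002"}, {"X-Role": "admin"}))
```

The functional-testing point in the table above is what this demonstrates: both lookups run the same parameterised SQL and neither errors, so the defect is only visible by calling the endpoint as one user with another user's account id and checking that the enforced path returns 403 while the unverified path returns the record.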
Open Web Application Security Project, OWASP, Global AppSec, AppSec Days, AppSec California, SnowFROC, LASCON, and the OWASP logo are trademarks of the OWASP Foundation. Unless otherwise specified, all content on the site is Creative Commons Attribution-ShareAlike v4.0 and provided without warranty of service or accuracy. For more information, please refer to our General Disclaimer. Copyright 2023, OWASP Foundation, Inc.